Global shared state validation - Duplicated message issue #3
Conversation
MatheusFranco99
changed the title
iurii-ssv
left a comment
iurii-ssv
left a comment
There was a problem hiding this comment.
LGTM, 1 other thing I would also maybe cover in this write-up is about serializing message validation, namely:
- we receive many different messages from different peers in parallel
- to validate the message against
peer-state(and record validation results for future re-use) we acquire a lock identified bypeerID+msgIDand release it once we are done withpeer-statevalidation - to validate the message against
global-state(and record validation results for future re-use) we acquire a lock identified bymsgIDand release it once we are done withglobal-statevalidation
p2p/MessageValidation/Rules.md
Outdated
|
|
||
|  | ||
|
|
||
| This image illustrates the *Covert Attack*, in which a peer malicious sends two "logically duplicated" messages |
There was a problem hiding this comment.
in which a peer malicious sends -> in which a malicious peer sends
p2p/MessageValidation/Rules.md
Outdated
|
|
||
| Most importantly, note that such a global shared state is exactly what others should understand as this peer's specific-state | ||
| (i.e. `A.global_shared_state == B.peer_specific_state[A]` for any A and B with appropriate synchronization). | ||
| Thus, if the message is accepted against such a state, other peers will also accept it. |
There was a problem hiding this comment.
Thus, if the message is accepted against such a state, other peers will also accept it. -> Thus, if peer A accepts the message against his global state, other peers will also accept the broadcast of this message from peer A.
| All rules are verified against the peer-specific state, and after it: | ||
| - If there's any error, the appropriate `Ignore` or `Reject` is returned. | ||
| - Else, the message is again validated but this time against the global shared state. | ||
| This prevents the node from propagating duplicated messages. Then: | ||
| - In case there's any error, `Ignore` is returned (even if the triggered rule has `reject: true`) as we can't blame the peer for the error. | ||
| - Else, `Accept` is returned. | ||
|
|
||
| More about the global shared state validation is discussed [below](#global-shared-state-validations). |
There was a problem hiding this comment.
This section hasn't been changed to reflect the check is inverted now (now we check the global state first, then we check peer-specific state) ?
Also, throughout this document we are using "Ignore" and "IGNORE" (and same for rejects) interchangeably ... probably better to use just one of these.
|
|
||
| - Proposal and round-change justifications were not included because they are too complex to implement at the message validation level. The cost of adding this complexity is not justified since the message count check already prevents any related attack. | ||
|
|
||
| ### Global Shared State Validations |
There was a problem hiding this comment.
Since this section describes validation in general (not just global-state validation) maybe change the header to something like Global Shared State Validations -> Global vs Peer State Validations
| D -- No --> F | ||
| ``` | ||
|
|
||
| **Summary**: The node MUST apply all rule checks first to the global shared state. For any rule that, if violated in peer-specific state, would cause rejection, a secondary peer-specific check MUST be performed. If the message fails that peer-specific check, it MUST be REJECTED. If it passes the peer-specific check but still violates the rule globally, the message MUST be IGNORED. If it passes all checks globally, it MUST be ACCEPTED. |
There was a problem hiding this comment.
I think here we are talking about global state:
For any rule that, if violated in peer-specific state, would cause rejection -> For any rule that, if violated in global state, would cause ignore or reject
... but this whole summary doesn't look 100% correct to me, I would remove it entirely given that it just tries to make the detailed description provided above shorter while actually "making it harder to understand how the validation flow is supposed to work in step-by-step manner".
| **2. Peer-Specific State Validation** | ||
|
|
||
| For completeness, prior to any global state check, messages MAY be initially checked against peer-specific state for any checks directly related to penalizing peer misbehavior relative to their historical activity. Peer-specific checks MUST only result in penalization or rejection if the message definitively violates protocol rules in the context of that peer’s known state. |
There was a problem hiding this comment.
Since section-1. already describes how to use peer-specific state to validate messages this whole section-2.:
- isn't really adding anything new
- and I would even say it only adds confusion because it says
messages MAY be initially checked against peer-specific statewhile the section1.says that we MUST check the global state first (the node MUST first validate the message against all protocol rules using the *global shared state*)
| - If the corresponding rule may later result in rejection when applied to peer-specific state (i.e., is classified as REJECT in this document), the node MUST proceed to validate the message against *peer-specific state* for this peer: | ||
| - If the message fails the peer-specific check for this rule, the node MUST REJECT the message according to the rule's classification. | ||
| - If the message passes the peer-specific check but failed the global check, the node MUST IGNORE the message. This ensures the peer is not penalized for a condition it cannot control. | ||
| - If the rule is not a REJECT rule, the node MUST IGNORE the message. |
There was a problem hiding this comment.
There are 2 types of "REJECT rules":
- those that DO NOT require an additional check against peer-state (eg.
Error{text: "signer is not expected", reject: true}) - those that DO require, which is basically what
If the corresponding rule may later result in rejection when applied to peer-specific state (i.e., is classified as REJECT in this document), the node MUST proceed to validate the message against *peer-specific state* for this peerdescribes
so I would change/expand this section like this:
- If the rule is not a REJECT rule, the node MUST IGNORE the message.
- If the rule is a REJECT rule and it doesn't require an additional check agaisnt **peer-specific state**, the node MUST REJECT the message.
- If the rule is a REJECT rule and it does require an additional check agaisnt **peer-specific state**, the node MUST proceed to validate the message against *peer-specific state* for this peer:
- If the message fails the peer-specific check for this rule, the node MUST REJECT the message according to the rule's classification.
- If the message passes the peer-specific check (but failed the global check), the node MUST IGNORE the message. This ensures the peer is not penalized for a condition it cannot control.
Overview
This PR solves the issue with message validation caused by a duplicated node running,
which can cause a honest node to propagate duplicated messages.